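import * as pulumi from "@pulumi/pulumi";
// NOTE(review): the generic type arguments of `pulumi.Input` / `pulumi.Output` were missing from
// this listing (leaving fragments such as `pulumi.Input[]>` that do not parse). They are restored
// below from the field descriptions and optionality; confirm them against the published
// `@pulumi/azure` typings.
/**
 * Manages a Key Vault Managed Hardware Security Module Key.
 *
 * > **Note:** The Azure Provider includes a Feature Toggle which will purge a Key Vault Managed Hardware Security Module Key resource on destroy, rather than the default soft-delete. See `purgeSoftDeletedHardwareSecurityModulesOnDestroy` for more information. A purged key cannot be recovered, so anything that depends on it (for example data encrypted under it) is lost with it; keep the default soft-delete unless the key material is disposable.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.keyvault.ManagedHardwareSecurityModule("example", {
 *     name: "example",
 *     resourceGroupName: exampleAzurermResourceGroup.name,
 *     location: exampleAzurermResourceGroup.location,
 *     skuName: "Standard_B1",
 *     tenantId: current.then(current => current.tenantId),
 *     adminObjectIds: [current.then(current => current.objectId)],
 *     // example only: with purge protection off, a soft-deleted HSM and its keys can be purged
 *     // before the retention period ends; enable it for HSMs holding keys you cannot afford to lose
 *     purgeProtectionEnabled: false,
 *     activeConfig: [{
 *         securityDomainCertificate: [
 *             cert[0].id,
 *             cert[1].id,
 *             cert[2].id,
 *         ],
 *         securityDomainQuorum: 2,
 *     }],
 * });
 * // this gives your service principal the HSM Crypto User role which lets you create and destroy hsm keys
 * const hsm_crypto_user = new azure.keyvault.ManagedHardwareSecurityModuleRoleAssignment("hsm-crypto-user", {
 *     managedHsmId: example.id,
 *     name: "1e243909-064c-6ac3-84e9-1c8bf8d6ad22",
 *     scope: "/keys",
 *     roleDefinitionId: "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b",
 *     principalId: current.then(current => current.objectId),
 * });
 * // this gives your service principal the HSM Crypto Officer role which lets you purge hsm keys
 * const hsm_crypto_officer = new azure.keyvault.ManagedHardwareSecurityModuleRoleAssignment("hsm-crypto-officer", {
 *     managedHsmId: example.id,
 *     name: "1e243909-064c-6ac3-84e9-1c8bf8d6ad23",
 *     scope: "/keys",
 *     roleDefinitionId: "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778",
 *     principalId: current.then(current => current.objectId),
 * });
 * const exampleManagedHardwareSecurityModuleKey = new azure.keyvault.ManagedHardwareSecurityModuleKey("example", {
 *     name: "example",
 *     managedHsmId: example.id,
 *     keyType: "EC-HSM",
 *     curve: "P-521",
 *     keyOpts: ["sign"],
 * }, {
 *     // the key can only be created once the role assignments above exist
 *     dependsOn: [
 *         hsm_crypto_user,
 *         hsm_crypto_officer,
 *     ],
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.KeyVault` - 2023-07-01
 *
 * ## Import
 *
 * Key Vault Managed Hardware Security Module Key can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:keyvault/managedHardwareSecurityModuleKey:ManagedHardwareSecurityModuleKey example https://exampleHSM.managedhsm.azure.net/keys/exampleKey
 * ```
 */
export declare class ManagedHardwareSecurityModuleKey extends pulumi.CustomResource {
    /**
     * Get an existing ManagedHardwareSecurityModuleKey resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ManagedHardwareSecurityModuleKeyState, opts?: pulumi.CustomResourceOptions): ManagedHardwareSecurityModuleKey;
    /**
     * Returns true if the given object is an instance of ManagedHardwareSecurityModuleKey. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ManagedHardwareSecurityModuleKey;
    /**
     * Specifies the curve to use when creating an `EC-HSM` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field is required if `keyType` is `EC-HSM`. Changing this forces a new resource to be created.
     */
    readonly curve: pulumi.Output<string | undefined>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter is changed on a later run and the new date is ahead of the current date, an update is performed. If the new date is before the current date, the resource is re-created.
     */
    readonly expirationDate: pulumi.Output<string | undefined>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify`, `wrapKey` and `import`. Please note these values are case-sensitive. List only the operations the key is actually used for.
     */
    readonly keyOpts: pulumi.Output<string[]>;
    /**
     * Specifies the size of the key to create, for example 1024 or 2048. The upstream description gives the unit as bytes, but these values are RSA modulus sizes in bits; 1024-bit RSA is below current minimum-strength guidance, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA-HSM` or `oct-HSM`. Changing this forces a new resource to be created.
     */
    readonly keySize: pulumi.Output<number | undefined>;
    /**
     * Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are `EC-HSM`, `oct-HSM` and `RSA-HSM`. For more details, see [HSM-protected keys](https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#hsm-protected-keys). Changing this forces a new resource to be created.
     */
    readonly keyType: pulumi.Output<string>;
    /**
     * Specifies the ID of the Key Vault Managed Hardware Security Module that the key will be owned by. Changing this forces a new resource to be created.
     */
    readonly managedHsmId: pulumi.Output<string>;
    /**
     * Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it cannot be unset, even if the key is deleted & recreated, because the underlying Azure API restores the purged key.
     */
    readonly notBeforeDate: pulumi.Output<string | undefined>;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The versioned ID of the Key Vault Managed Hardware Security Module Key.
     */
    readonly versionedId: pulumi.Output<string>;
    /**
     * Create a ManagedHardwareSecurityModuleKey resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ManagedHardwareSecurityModuleKeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering ManagedHardwareSecurityModuleKey resources.
 */
export interface ManagedHardwareSecurityModuleKeyState {
    /**
     * Specifies the curve to use when creating an `EC-HSM` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field is required if `keyType` is `EC-HSM`. Changing this forces a new resource to be created.
     */
    curve?: pulumi.Input<string>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter is changed on a later run and the new date is ahead of the current date, an update is performed. If the new date is before the current date, the resource is re-created.
     */
    expirationDate?: pulumi.Input<string>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify`, `wrapKey` and `import`. Please note these values are case-sensitive. List only the operations the key is actually used for.
     */
    keyOpts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the size of the key to create, for example 1024 or 2048. The upstream description gives the unit as bytes, but these values are RSA modulus sizes in bits; 1024-bit RSA is below current minimum-strength guidance, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA-HSM` or `oct-HSM`. Changing this forces a new resource to be created.
     */
    keySize?: pulumi.Input<number>;
    /**
     * Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are `EC-HSM`, `oct-HSM` and `RSA-HSM`. For more details, see [HSM-protected keys](https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#hsm-protected-keys). Changing this forces a new resource to be created.
     */
    keyType?: pulumi.Input<string>;
    /**
     * Specifies the ID of the Key Vault Managed Hardware Security Module that the key will be owned by. Changing this forces a new resource to be created.
     */
    managedHsmId?: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it cannot be unset, even if the key is deleted & recreated, because the underlying Azure API restores the purged key.
     */
    notBeforeDate?: pulumi.Input<string>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The versioned ID of the Key Vault Managed Hardware Security Module Key.
     */
    versionedId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a ManagedHardwareSecurityModuleKey resource.
 */
export interface ManagedHardwareSecurityModuleKeyArgs {
    /**
     * Specifies the curve to use when creating an `EC-HSM` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field is required if `keyType` is `EC-HSM`. Changing this forces a new resource to be created.
     */
    curve?: pulumi.Input<string>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter is changed on a later run and the new date is ahead of the current date, an update is performed. If the new date is before the current date, the resource is re-created.
     */
    expirationDate?: pulumi.Input<string>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify`, `wrapKey` and `import`. Please note these values are case-sensitive. List only the operations the key is actually used for.
     */
    keyOpts: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the size of the key to create, for example 1024 or 2048. The upstream description gives the unit as bytes, but these values are RSA modulus sizes in bits; 1024-bit RSA is below current minimum-strength guidance, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA-HSM` or `oct-HSM`. Changing this forces a new resource to be created.
     */
    keySize?: pulumi.Input<number>;
    /**
     * Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are `EC-HSM`, `oct-HSM` and `RSA-HSM`. For more details, see [HSM-protected keys](https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#hsm-protected-keys). Changing this forces a new resource to be created.
     */
    keyType: pulumi.Input<string>;
    /**
     * Specifies the ID of the Key Vault Managed Hardware Security Module that the key will be owned by. Changing this forces a new resource to be created.
     */
    managedHsmId: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it cannot be unset, even if the key is deleted & recreated, because the underlying Azure API restores the purged key.
     */
    notBeforeDate?: pulumi.Input<string>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}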